How effective are your password recovery settings?

Improving password recovery success rates

Limited time and resources are usually the two biggest constraints for password recovery. A live memory image could contain encryption keys and passwords, but what are the options if there is no such image available?

There are two important metrics for measuring the effectiveness of password recovery: success rate and time spent. After all, we could do a full brute-force attack for all 16-character alphanumeric passwords with a 100% success rate, but waiting a billion years is not a viable option.

A lot of research has gone into identifying patterns in the passwords people use, and the common view now is that there is no such thing as “the best” list of password recovery attacks. People choose different types of passwords to protect different types of data – corporate files, personal documents, or web accounts.

One of the questions we are asked often is, “How do I measure the efficiency of my set of password recovery attacks?”

That’s exactly the reason why Passware Kit now allows running password recovery attacks against a list of known passwords. For different types of passwords, this is the fastest way to see the success rate and estimate performance in real-life scenarios.

A single additional dictionary improved our password recovery rate to 97%! We have just checked that the default settings cover the most typical passwords, and that adding custom dictionaries could greatly improve the success rate.
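The measurement described above can be sketched in a few lines. This is an added example, not Passware Kit code or output: it runs an ordered set of attacks against a list of known passwords and reports both metrics, success rate and candidates tried (converted to time at an assumed speed). The attack definitions, word lists and guesses-per-second figure are all constructed for illustration.

```python
from itertools import product
import string

def dictionary(words):
    """Each word as-is."""
    return lambda: iter(words)

def with_digit_suffix(words, max_digits):
    """Each word, as given and capitalized, followed by 1..max_digits digits."""
    def gen():
        for word in words:
            for base in (word, word.capitalize()):
                for n in range(1, max_digits + 1):
                    for digits in product(string.digits, repeat=n):
                        yield base + "".join(digits)
    return gen

def brute_force(charset, max_len):
    """Every string over charset of length 1..max_len."""
    def gen():
        for n in range(1, max_len + 1):
            for chars in product(charset, repeat=n):
                yield "".join(chars)
    return gen

def evaluate(attacks, known_passwords, guesses_per_second):
    """Run attacks in order; report candidates, new hits, cumulative rate, est. seconds."""
    remaining, total, report = set(known_passwords), len(set(known_passwords)), []
    for name, attack in attacks:
        tried, hits = 0, set()
        for candidate in attack():
            tried += 1
            if candidate in remaining:
                hits.add(candidate)
        remaining -= hits
        report.append({"attack": name, "candidates": tried, "new_hits": len(hits),
                       "cumulative_rate": (total - len(remaining)) / total,
                       "seconds": tried / guesses_per_second})
    return report

# Constructed sample data, not real recovered passwords.
KNOWN = ["password", "summer", "qwerty", "Summer21", "dragon7",
         "abc", "zx9", "rex", "Rex2019", "Tr0ub4dor"]
COMMON = ["password", "qwerty", "summer", "dragon"]
BASELINE = [("dictionary", dictionary(COMMON)),
            ("dictionary+digits", with_digit_suffix(COMMON, 2)),
            ("brute-force<=3", brute_force(string.ascii_lowercase + string.digits, 3))]
# Hypothetical case-specific dictionary (e.g. names tied to the data owner).
CUSTOM = BASELINE + [("custom+digits", with_digit_suffix(["rex"], 4))]

if __name__ == "__main__":
    for row in evaluate(CUSTOM, KNOWN, guesses_per_second=1000):  # assumed speed
        print(row)
```

Comparing the last row of `evaluate(BASELINE, ...)` with that of `evaluate(CUSTOM, ...)` shows what the extra dictionary buys in success rate and what it costs in candidates.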

Do you know any other tips or tricks to improve password recovery success rates?